VAE to CADP for C

Prerequisites

  • Data Security Manager (DSM) is up and running at a supported version. Refer to the DSM Documentation for details.

  • A supported Vormetric Application Encryption (VAE) version is configured with the supported DSM version. Refer to the VAE documentation for details.

  • CipherTrust Manager is up and running at a supported version. Refer to CipherTrust Manager Deployment for details.

If you are running an unsupported version, upgrade your environment to a supported version before proceeding with the migration. Refer to the corresponding product documentation for upgrade instructions.

Supported Versions

Current Setup

| Product | Version |
| --- | --- |
| Vormetric Application Encryption (VAE) | 6.4.3.2 or higher |
| DSM | 6.4.5 or higher |

Target Setup

| Product | Version |
| --- | --- |
| CipherTrust Application Data Protection (CADP) for C | 8.14.0 (GA on February 10, 2023) |
| CipherTrust Manager | 2.9.0 |

Migration Steps

Migrating VAE PKCS11 C Library to CADP for C PKCS11 Library

  1. Disable all key operations on the DSM (except read operations). Refer to the DSM documentation for details.

  2. Migrate your DSM to a supported CipherTrust Manager version. Refer to Migrate from Data Security Manager for details.

  3. Install CADP for C on the client's machine where VAE is currently configured (with DSM). Refer to the CADP for C installation for details.

    While installing CADP for C, the installer prompts you to confirm backward compatibility. Select 'Yes' or press Enter to accept the default setting. By default, CADP for C works in Legacy VAE mode, which retains the current VAE configuration to support backward compatibility.

    Refer to the PKCS#11 configuration for details on supported CADP modes - Legacy VAE and CipherTrust.

  4. Refer to the sample provided on GitHub and update your application accordingly.

    Pkcs11Interop is built on .NET Standard 2.0. For information about the frameworks that support .NET Standard 2.0, refer to the Microsoft documentation.

  5. Configure CADP for C client with the CipherTrust Manager. Refer to the CADP for C installation for details.

  6. Verify the communication between the CADP for C client and the CipherTrust Manager is successful.

    The above steps are for migration of one client to CADP for C. Similarly, you can migrate your other existing VAE clients to CADP for C.

When you migrate VAE Java Wrapper clients to CADP for C Java Wrapper, you need to perform additional steps. Refer to Migrating VAE Java Wrapper to CADP for C Java Wrapper.

Migrating VAE Java Wrapper to CADP for C Java Wrapper

From VAE Java Custom Wrapper

The CADP for C installation includes the latest JAR files required to use CADP for C Java Wrapper. Update your application to use the latest JAR files available with the CADP for C installation. No specific migration steps are needed.

From Sun Java/IBM Java Wrapper

To migrate from Sun Java/IBM Java Wrapper to CADP for C Java Wrapper, update the import statements in your existing application/sample. Refer to the following table for import statements.

| Replace this statement | With this statement |
| --- | --- |
| sun.security.pkcs11.wrapper.CK_ATTRIBUTE | com.vormetric.pkcs11.wrapper.CK_ATTRIBUTE |
| sun.security.pkcs11.wrapper.CK_MECHANISM | com.vormetric.pkcs11.wrapper.CK_MECHANISM |
| sun.security.pkcs11.wrapper.CK_SLOT_INFO | com.vormetric.pkcs11.wrapper.CK_SLOT_INFO |
| sun.security.pkcs11.wrapper.CK_VERSION | com.vormetric.pkcs11.wrapper.CK_VERSION |
| sun.security.pkcs11.wrapper.PKCS11 | com.vormetric.pkcs11.wrapper.PKCS11 |
| sun.security.pkcs11.wrapper.PKCS11Exception | com.vormetric.pkcs11.wrapper.PKCS11Exception |
| sun.security.pkcs11.wrapper.PKCS11Constants.* | com.vormetric.pkcs11.wrapper.PKCS11Constants.* |

Migrating VAE .NET Framework Wrapper to CADP for C .NETCORE Wrapper

  1. Disable all key operations on the DSM (except read operations). Refer to the DSM documentation for details.

  2. Migrate your DSM keys to a supported CipherTrust Manager version. Refer to Migrate from Data Security Manager for details.

  3. Install CADP for C on the client's machine where VAE is currently configured (with DSM).

    After installing CADP for C, the PKCS11Interop library is available at the following default path:

    • Windows: <C:\Program Files\CipherTrust\CADP_for_C\wrapper\.NET Core\Pkcs11Interop.dll>

    • Linux: </opt/CipherTrust/CADP_for_C/wrapper/dotNET Core/Pkcs11Interop.dll>

  4. Update the application as shown below for each of the following tasks:

    | Task | .NET Framework (Old) | .NET Core sample (New) |
    | --- | --- | --- |
    | Namespace | NA | using Net.Pkcs11Interop.HighLevelAPI.Factories |
    | Create P11 object | using (Pkcs11 pkcs11 = new Pkcs11(Settings.Pkcs11LibraryPath, false)) | using (IPkcs11Library pkcs11Library = Settings.Factories.Pkcs11LibraryFactory.LoadPkcs11Library(Settings.Factories, Settings.Pkcs11LibraryPath, Settings.AppType)) |
    | Find first slot with token present | Slot slot = Helpers.GetUsableSlot(pkcs11); | ISlot slot = Helpers.GetUsableSlot(pkcs11Library); |
    | Open RW session | using (Session session = slot.OpenSession(false)) | using (ISession session = slot.OpenSession(SessionType.ReadWrite)) |
    | Replace the references of class names with the respective interfaces | ObjectHandle, Mechanism, ObjectAttribute | IObjectHandle, IMechanism, IObjectAttribute |
    | Update Settings | NA | Refer to Settings.cs to update settings in your application. |
    | Add object attribute in list | objectAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, (uint)CKO.CKO_SECRET_KEY)); | objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, (uint)CKO.CKO_SECRET_KEY)); |
    | Create Object handle | ObjectHandle createdKey = session.CreateObject(objectAttributes); | IObjectHandle createdKey = session.CreateObject(objectAttributes); |
    | Create Mechanism | mechanism = new Mechanism(CKM.CKM_SHA512); | mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_SHA512); |

    For more details, refer to the sample provided on GitHub.

  5. Update the CADP_PKCS11.properties file (present in the installation directory) for the configuration settings. Refer to the CADP for C documentation for details.
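
The new-API rows of the task table assembled into one post-migration check, as an added example (not the Thales GitHub sample): it loads the library, finds a slot, opens an RW session, logs in and runs one CKM_SHA512 digest. It assumes the shipped Pkcs11Interop.dll exposes the upstream Pkcs11Interop 5.x API; the library-path argument and the P11_USER_PIN environment variable are hypothetical names.

```csharp
// Added example: exercises each migrated call once and reports the failing PKCS#11 call.
using System;
using System.Collections.Generic;
using System.Text;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

class MigrationSmokeTest
{
    static int Main(string[] args)
    {
        // Hypothetical inputs: library path as argument, PIN from the environment (never hard-coded).
        string pin = Environment.GetEnvironmentVariable("P11_USER_PIN");
        if (args.Length != 1 || string.IsNullOrEmpty(pin))
        {
            Console.Error.WriteLine("usage: P11_USER_PIN=... MigrationSmokeTest <pkcs11-library-path>");
            return 2;
        }
        try
        {
            var factories = new Pkcs11InteropFactories();
            // Old: new Pkcs11(path, false)
            using (IPkcs11Library lib = factories.Pkcs11LibraryFactory.LoadPkcs11Library(
                       factories, args[0], AppType.MultiThreaded))
            {
                List<ISlot> slots = lib.GetSlotList(SlotsType.WithTokenPresent);
                if (slots.Count == 0)
                {
                    Console.Error.WriteLine("No slot with a token present.");
                    return 1;
                }
                // Old: slot.OpenSession(false)
                using (ISession session = slots[0].OpenSession(SessionType.ReadWrite))
                {
                    session.Login(CKU.CKU_USER, pin);
                    // Old: new Mechanism(CKM.CKM_SHA512)
                    using (IMechanism mech = session.Factories.MechanismFactory.Create(CKM.CKM_SHA512))
                    {
                        byte[] digest = session.Digest(mech, Encoding.UTF8.GetBytes("migration check"));
                        Console.WriteLine($"Digest OK, {digest.Length} bytes");
                    }
                    session.Logout();
                }
            }
            return 0;
        }
        catch (Pkcs11Exception ex) // a PKCS#11 call returned a non-OK CKR value
        {
            Console.Error.WriteLine($"{ex.Method} failed with {ex.RV}");
            return 1;
        }
    }
}
```

A successful run prints a 64-byte digest length; a non-zero exit names the PKCS#11 function that failed, which narrows down whether the library load, the session or the login is misconfigured.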

Switching Back to VAE

If you later want to revert to the VAE installation, run the CADP for C installer with the -e option. This removes the symlink and restores the previous VAE installation.